Smithsonian Institution
Office of the Inspector General

Date: March 4, 2013

To: Albert Horvath, Under Secretary for Finance and Administration and Chief Financial Officer
    Deron Burba, Chief Information Officer

cc: Patricia Bartlett, Chief of Staff, Office of the Secretary
    Judith Leonard, General Counsel
    Rebecca Hutchings, Acting Director of IT Security

From: Scott S. Dahl, Inspector General

Subject: Management Advisory Regarding Portable Computer Encryption (M-13-01)

INTRODUCTION

In our fiscal year 2010 FISMA review of the Smithsonian's information security program (Smithsonian Institution Information Security Program, March 15, 2011, Report No. A-10-01), we found that the Smithsonian was not enforcing its policy requiring that all mobile devices that may be used to store sensitive information be encrypted. We recommended that the Smithsonian implement controls to ensure that the policy is enforced.

In a memorandum dated September 30, 2012, management informed us that it had implemented the recommendation and requested that we close it. To determine whether the actions management took were effective, we examined a sample of portable computers in units that routinely handle sensitive information. We found that most of the portable computers we tested were not encrypted. Management needs to ensure that portable computers that may be used to store sensitive information are properly encrypted. In addition, management needs to ensure that users know when a laptop is unencrypted and that such a laptop must not be used to store sensitive information. Therefore, we are keeping the recommendation open and making three more recommendations to assist management in implementing the original one.

BACKGROUND

The Office of Management and Budget issued Memorandum M-06-16 in June 2006 requiring all executive departments and agencies to encrypt all data on mobile computers and devices that carry agency data, unless the data is determined to be non-sensitive, in writing, by the Deputy Secretary or a designee. The Smithsonian is not required to follow OMB memorandums, but it has issued policies requiring that devices containing sensitive data be encrypted. Smithsonian Directive 931, Use of Computers, Telecommunication Devices and Networks, dated September 18, 2009, requires users to ensure that sensitive data stored on laptops or other portable hardware is encrypted. OCIO technical note IT-930-TN28 establishes the procedures and responsibilities for implementing encryption. According to the technical note, the computing device user is responsible for determining that the device may be used to store sensitive information. The user then contacts the unit's IT staff, who are responsible for licensing and installing encryption software. The technical note requires whole disk encryption if sensitive data is stored on a laptop computer.

In response to the original audit recommendation, management took the following measures:

The Office of the Chief Information Officer (OCIO) provided information for Smithsonian units to directly procure a range of approved encrypted devices and encryption software. The CIO distributed a Smithsonian-wide email reminding staff of their roles and responsibilities for protecting sensitive Smithsonian information using these approved technologies. In addition, OCIO installs encryption on portable or desktop computers on request.

RESULTS OF OIG REVIEW

In December 2012 and January 2013, we tested a sample of laptops in four units that routinely handle sensitive information and found that many of the laptop computers were not encrypted. Of the 15 laptops tested, 11 did not have whole disk encryption installed. In three of the four units visited, none of the laptop computers tested had encryption installed. Several of the computers tested were used by senior-level management. Several staff indicated that they had assumed the laptop computers were configured according to Smithsonian requirements and were unaware that encryption was not installed.

If a laptop computer that is not secured with encryption is lost or stolen, the information on it can be read without knowledge of any user password, for example by removing the drive or booting the laptop from other media. If the information on the laptop is securely encrypted, retrieving it without the decryption key would be impractical.

CONCLUSION AND RECOMMENDATIONS

The controls in place are not adequate to ensure that laptop computers that may contain sensitive information are secured with an appropriate encryption technology. Staff did not know how the equipment they use was configured and expected it to be configured appropriately for its intended use. Therefore, the original recommendation will remain open, and we further recommend that the USFA/CFO, in coordination with the other Under Secretaries, direct unit IT staff to:

1. Determine which laptop computers in their inventory may be used to store sensitive data and, with assistance from OCIO, configure those computers with whole disk encryption.

2. Identify all laptop computers that will not be configured with encryption and clearly indicate to users, with a prominent label, that those computers must not be used to store sensitive information.

In addition, we recommend that the Chief Information Officer:

3. Revise IT-930-TN28 to assign responsibility to staff with the knowledge and skills to ensure laptop computers are configured with appropriate encryption technology.

Management has concurred with the recommendations and developed a plan to implement them. We believe that the proposed actions, when implemented, will meet the intent of these recommendations. We have included management's full response in Appendix A.

We note that the original recommendation is to enforce the existing Smithsonian policy, which requires that all mobile devices that may be used to store sensitive information be encrypted. This includes devices such as portable storage, tablets, and smart phones. When requesting that we close the original recommendation, please address how the Smithsonian is implementing its policy with respect to other types of mobile devices.

APPENDIX A. MANAGEMENT'S RESPONSE
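The OIG test described under RESULTS OF OIG REVIEW was a manual inspection of 15 laptops, and the finding is phrased as whether whole disk encryption was "installed". The following PowerShell script is an added example, not part of this advisory and not the Smithsonian's own tooling, of how unit IT staff could run the same check across an inventory for Recommendation 1. The advisory does not name the encryption product in use; BitLocker on Windows 8 / Server 2012 or later is assumed here purely for illustration. The script deliberately distinguishes "software installed" from "volume fully encrypted with protection switched on", because only the latter state makes a lost laptop impractical to read.

```powershell
# Added example (not from the OIG advisory): report whether each fixed volume on
# this Windows laptop is whole-disk encrypted with BitLocker and actively protected.
# Assumption: Windows with the BitLocker PowerShell module; run from an elevated session.
# The advisory does not name the Smithsonian's encryption product.

function Get-WholeDiskEncryptionReport {
    [CmdletBinding()]
    param()

    # Only fixed volumes are in scope for whole disk encryption; removable media
    # falls under the advisory's separate point about other mobile devices.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }

    foreach ($vol in $fixed) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        if ($null -eq $bl) {
            # No BitLocker metadata at all: the volume has never been encrypted.
            $status     = 'NoBitLockerData'
            $protection = 'Unknown'
            $pct        = 0
        } else {
            $status     = $bl.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            $protection = $bl.ProtectionStatus    # On / Off
            $pct        = $bl.EncryptionPercentage
        }

        # "Installed" is not "protecting". A volume counts as whole-disk encrypted
        # only when encryption has completed AND key protectors are enabled.
        # A FullyEncrypted volume with ProtectionStatus Off (for example, suspended
        # for a firmware update) is readable without the user's credentials.
        $compliant = ($status -eq 'FullyEncrypted') -and ($protection -eq 'On')

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            Volume             = $mount
            VolumeStatus       = $status
            ProtectionStatus   = $protection
            EncryptionPercent  = $pct
            WholeDiskEncrypted = $compliant
        }
    }
}

# Usage: one CSV row per volume, so results from every laptop in a unit can be
# aggregated and any row with WholeDiskEncrypted = False followed up.
Get-WholeDiskEncryptionReport | Export-Csv -Path ".\$env:COMPUTERNAME-encryption.csv" -NoTypeInformation
```

Two caveats a unit running this should keep in mind. First, for a third-party whole disk encryption product the vendor's own status command replaces Get-BitLockerVolume; the installed/encrypted/protected distinction still applies. Second, whole disk encryption protects data at rest: while the laptop is powered on or sleeping, the volume key is in memory and the protection the advisory describes does not yet apply, so a laptop reported as compliant here still needs to be shut down, not just closed, when it leaves the office.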